diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2023-04-25 11:48:52 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2023-04-25 16:53:22 +0200 |
| commit | 89b60bc18ca76e45b1682d8c56a0d01fffedebad (patch) | |
| tree | adb11ee9284ffccdfdcbee09a5bc96ef60f800af | |
| parent | bd976ab13b4d57ebf5d02459c360905a76af9e58 (diff) | |
mnl: handle singleton element in netdevice set
expr_evaluate_set() turns sets with singleton element into value,
nft_dev_add() expects a list of expression, so it crashes.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1676
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| -rw-r--r-- | src/mnl.c | 46 | ||||
| -rwxr-xr-x | tests/shell/testcases/chains/0042chain_variable_0 | 4 | ||||
| -rw-r--r-- | tests/shell/testcases/chains/dumps/0042chain_variable_0.nft | 4 |
3 files changed, 40 insertions, 14 deletions
@@ -720,31 +720,49 @@ err: */ struct nft_dev { - const char *ifname; - struct location *location; + const char *ifname; + const struct location *location; }; -static struct nft_dev *nft_dev_array(const struct expr *dev_expr, int *num_devs) +static void nft_dev_add(struct nft_dev *dev_array, const struct expr *expr, int i) { - struct nft_dev *dev_array; unsigned int ifname_len; char ifname[IFNAMSIZ]; + + ifname_len = div_round_up(expr->len, BITS_PER_BYTE); + memset(ifname, 0, sizeof(ifname)); + mpz_export_data(ifname, expr->value, BYTEORDER_HOST_ENDIAN, ifname_len); + dev_array[i].ifname = xstrdup(ifname); + dev_array[i].location = &expr->location; +} + +static struct nft_dev *nft_dev_array(const struct expr *dev_expr, int *num_devs) +{ + struct nft_dev *dev_array; int i = 0, len = 1; struct expr *expr; - list_for_each_entry(expr, &dev_expr->expressions, list) - len++; + switch (dev_expr->etype) { + case EXPR_SET: + case EXPR_LIST: + list_for_each_entry(expr, &dev_expr->expressions, list) + len++; - dev_array = xmalloc(sizeof(struct nft_dev) * len); + dev_array = xmalloc(sizeof(struct nft_dev) * len); - list_for_each_entry(expr, &dev_expr->expressions, list) { - ifname_len = div_round_up(expr->len, BITS_PER_BYTE); - memset(ifname, 0, sizeof(ifname)); - mpz_export_data(ifname, expr->value, BYTEORDER_HOST_ENDIAN, - ifname_len); - dev_array[i].ifname = xstrdup(ifname); - dev_array[i].location = &expr->location; + list_for_each_entry(expr, &dev_expr->expressions, list) { + nft_dev_add(dev_array, expr, i); + i++; + } + break; + case EXPR_VALUE: + len++; + dev_array = xmalloc(sizeof(struct nft_dev) * len); + nft_dev_add(dev_array, dev_expr, i); i++; + break; + default: + assert(0); } dev_array[i].ifname = NULL; diff --git a/tests/shell/testcases/chains/0042chain_variable_0 b/tests/shell/testcases/chains/0042chain_variable_0 index 58535f76..f71b0415 100755 --- a/tests/shell/testcases/chains/0042chain_variable_0 +++ b/tests/shell/testcases/chains/0042chain_variable_0 @@ -25,11 +25,15 @@ table netdev filter2 { $NFT -f - <<< $EXPECTED EXPECTED="define if_main = { lo, dummy0 } +define lan_interfaces = { lo } table netdev filter3 { chain Main_Ingress3 { type filter hook ingress devices = \$if_main priority -500; policy accept; } + chain Main_Egress3 { + type filter hook egress devices = \$lan_interfaces priority -500; policy accept; + } }" $NFT -f - <<< $EXPECTED diff --git a/tests/shell/testcases/chains/dumps/0042chain_variable_0.nft b/tests/shell/testcases/chains/dumps/0042chain_variable_0.nft index 12931aad..5ec230d0 100644 --- a/tests/shell/testcases/chains/dumps/0042chain_variable_0.nft +++ b/tests/shell/testcases/chains/dumps/0042chain_variable_0.nft @@ -12,4 +12,8 @@ table netdev filter3 { chain Main_Ingress3 { type filter hook ingress devices = { dummy0, lo } priority -500; policy accept; } + + chain Main_Egress3 { + type filter hook egress device "lo" priority -500; policy accept; + } } |